Skip to content

fix: Security audit fixes for TokenConverter.sol#31

Open
rroland10 wants to merge 1 commit into
EthereumCommonwealth:mainfrom
rroland10:audit/token-converter-security-fixes
Open

fix: Security audit fixes for TokenConverter.sol#31
rroland10 wants to merge 1 commit into
EthereumCommonwealth:mainfrom
rroland10:audit/token-converter-security-fixes

Conversation

@rroland10

Copy link
Copy Markdown

Summary

  • Add access control to ERC20Rescue.rescueERC20() — was callable by anyone, now restricted to the extractor address only
  • Add reentrancy guard to ERC223WrapperToken transfer functions — prevents reentrant attacks via ETH forwarding and tokenReceived callbacks
  • Add zero-address checks to all transfer and transferFrom functions — prevents permanent token loss and _totalSupply accounting drift
  • Make wrapper_for immutable after first set() call — prevents origin token redirection in both ERC223WrapperToken and ERC20WrapperToken
  • Emit Transfer events in mint and burn — restores ERC20 standard compliance for off-chain indexers and block explorers
  • Apply checks-effects-interactions pattern — events emitted before external calls in transfer functions
  • Add safe underflow check in extractStuckERC20 — prevents revert on rebasing/fee-on-transfer token edge cases, with clear error message

Vulnerabilities Addressed

Severity Issue
Critical rescueERC20 had no access control — anyone could trigger token transfers to extractor
High Reentrancy via ETH forwarding + tokenReceived callback in ERC223 transfers
High Missing zero-address checks allowed permanent token burns without updating totalSupply
Medium set() could be called multiple times, allowing wrapper origin redirection
Medium extractStuckERC20 could revert on underflow for rebasing/fee tokens, locking stuck tokens permanently
Low Missing Transfer events in mint/burn broke ERC20 standard compliance

Test plan

  • Verify rescueERC20 reverts when called by non-extractor address
  • Verify reentrancy guard blocks recursive calls to transfer
  • Verify transfer and transferFrom revert on address(0) recipient
  • Verify set() can only be called once per wrapper token
  • Verify Transfer events are emitted correctly for mint and burn
  • Verify extractStuckERC20 reverts gracefully when no stuck tokens exist
  • Verify all existing conversion flows (wrap/unwrap ERC20<->ERC223) still work correctly

Made with Cursor

Address multiple vulnerabilities found during security audit:

- Add access control to ERC20Rescue.rescueERC20 (was callable by anyone)
- Add reentrancy guard to ERC223WrapperToken transfer functions
- Add zero-address checks to all transfer/transferFrom functions
- Make wrapper_for immutable after first set() call in both wrapper tokens
- Emit Transfer events in mint/burn for ERC20 standard compliance
- Move events before external calls (checks-effects-interactions pattern)
- Add safe underflow check in extractStuckERC20

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant